Comodo containment and HIPS against recent ransomware

Just in case anyone was wondering, Comodo Containment deals with the Darkside ransomware strain (the one that is all over the news the past few days) quite nicely. All system changes are prevented.

1 Like

Nice one, thanks for confirming! :-TU :rocks:

Thank you. That’s very good to know.

Do all default CIS config types protect against it the same way or only the pro-active one?
Does CIS need some special settings for optimal protection?

Thanks M . . . . nice to know and thanks for the info :-TU

The configuration doesn’t matter, nor does the actual Containment level (Partially Limited works just fine). Note also that the Firewall at Safe Mode will alert to the ransomware attempting to infect others on the Network,

Also for giggles, in addition to this one from the Darkside Group I also ran a few newer files that are all the rage this month on TOR. They come from what my friends at Mandiant have labeled as the UNC2447 group. Related to Deathransom (HelloKitty), the variants tested were FIVEHANDS and Sombrat. All were contained without any system changes.

Why Industry doesn’t use Comodo Endpoint is beyond me…

1 Like

I agree… and why they think having CRITICAL infrastructure connected to the internet as good security is beyond stupid regardless of their rhetoric.

It’s very interesting, and it’s nice to know that Comodo’s containment (in any configuration) protects us. :slight_smile:

Thank you and good to hear from you again. :slight_smile:

Thanks Eric! And if you would allow a followup- the FIVEHANDS ransomware I mentioned above is making the news today, example here:

One interesting thing about it is that although it is totally blocked by Comodo Containment, the encryption process would be allowed to proceed if ONLY the HIPS is enabled at Safe Mode (even if the user selects Block at every prompt).

I bring this up only for those that would prefer HIPS (any HIPS from anybody, actually) over Containment.

1 Like

How does Fivehand get around a HIPS? Is it a fileless malware that calls legit script engines? Is it living off the land?

I find that very hard to believe unless you expect HIPS to protect files that are not listed under protected files. If you add ?:* to protected files then all drivers will be protected from unwanted modification.

I’m wondering (in case not using Containment), how does the ransomware encryption process still pass thru HIPS safe mode when the user blocks every HIPS Alert?
Can this be prevented in some way?
It would be nice to have two protection layers, one by Containment and one by HIPS (safe mode).

@cruelsister , hi meghan. I am still rocking your config with containment and all the other setting you did recommend , and it still runs smooth and light , without the hassle of all those popups / warnong messages! hope you are doing fine in NYC! :slight_smile:

1 Like

Cruelsister states CIS HIPS gets bypassed when running it in Safe Mode.

If you add ?:* to protected files then all drivers will be protected from unwanted modification.
Drivers, .sys files, are protected executables.

Looking forward to hear more in depth comments from cruelsister. :slight_smile:

So does this mean using HIPS with the default - recommended by Comodo itself - is unsafe?

HIPS mode won’t matter if the files that are being encrypted are not listed under protected files, which for ransomware will target non-executable files such as documents, videos, pictures, and music files. I ran a sample with HIPS only, and no files were encrypted because I have ?:* added to protected files along with additional items under protected COM interfaces.

When using HIPS instead of auto-containment to protect the system it is important to add and customize protected files, registry keys, and/or COM interfaces.

Please elaborate on what settings we have to add or customize to get the best ransomware HIPS protection.

Thanks. I was reading back your previous post and I think I responded to a typo? When you wrote drivers did you mean drives?

Do you mean you add ?:* to Protected Files and not to Protected Data?

What registry keys and COM interface do you add to a HIPS only set up?

Yes, would like to see more about how to make HIPS harder.

EDIT: …maybe in a new separate thread.

With the standard proactive configuration but without activating HIPS, but only by activating containment and all that the proactive configuration requires, can I feel comfortable?
By activating HIPS I am afraid of making wrong choices and I do not know if it is better to activate the “block all” or “allow all” choices